Passwords & Locking Down Your Accounts
We all love passwords, right? They are so much fun. I'm going to give you some tools to solve the modern nightmare that is passwords. We've all been there, what's my password? Oh crap, I forgot my password, or you enter your password, you know your password's right and your bank is telling you it's wrong. Or you're like, oh, your password is expired. Or the one that I hate the most is your password does not meet our security guidelines. It might have worked for your bank, it won't work for Facebook, it worked for Facebook, it might not work for Twitter. How many of you have seen a pop-up warning notice like this, right? That's enough to drive you crazy and we're seeing these all the time and it's only getting more complex. Now one of the reasons why companies do that is because people are crazy. In 2016 these are the five most popular passwords. Do you think criminals might know this? Possibly? Of course, think about this, one of the first things that the criminals do when they have a data ...
breach of 100 million accounts at Target or three billion accounts at Yahoo is they run statistical analysis software against all of those passwords and now they've got three billion data points from hacked accounts to say that Fluffy my cat was the number 17 most popular password, so the criminals know the most popular passwords and they've got tools that will automate breaking them, as I will talk about. More crazy news. 47% of people use passwords that are over five years old. I know none of you would do this, right? None of you. And 20% of people use passwords that are over a decade old. I'll talk about why that's a problem. 73% of people use the same password for multiple sites. Again nobody in this audience, I'm sure. But nearly 75% are using the same credentials across multiple sites. Why is that a bad idea? Because when the criminals get one password they try it against all the other sites and if you have one compromised account all of your accounts will fall like a domino. And you may be thinking, well, might that be hard for them to do, to sit there and type this all in? They don't type this all in, it's all automated, there are certain targets that they want. They want to break into banks, they want to break into investment companies, they want to break into your Amazon account where they can buy stuff. And so those are what I call the high value targets that criminals are going after. And so when your Yahoo password is leaked and you don't change it, right, or you're using a password that's over five years old, the bad guys are gonna take that Yahoo password and try it against all the banks and stores that they possibly can. So if you don't change it, once again, screwed. So you need to change it. Now it's amazing to me some of the silly mistakes that people make with their passwords. They're mind-blowing.
I've done investigations all over the world and the number of times that people tell me that they store all of their passwords in an Excel spreadsheet in Dropbox in clear text, I'm like, "That's not the approach I would have taken." So we'll talk about some password nightmares and what you can do to protect yourself. How many of you remember this occurring recently, right? Over a million people in Hawaii got a pop-up on their phone that said, ballistic missile threat inbound to Hawaii, seek immediate shelter, this is not a drill. Now if you're eating your oatmeal or feeding your kids before taking them to school this would get your attention, right? I know we're all a little distracted in the morning but this would get your attention and of course it did to Hawaii, very peaceful island, suddenly threatened with nuclear war over breakfast. So, that's bad, and if that wasn't ridiculous enough, one of the password stories that came out of this I wanna share with you. It was reported that after this happened everybody wanted to go into the emergency operations center in Hawaii to say, "What's going on here?" And lots of media crews went in there including a film crew from Associated Press and they took pictures of the Executive Director of the Office of Emergency Services and they noticed that there were a whole bunch of computers in the background. And one of the computers that they noticed had a bunch of yellow stickies on the screen. And it turns out that the password for the emergency alert system was written on a yellow post-it, and, like, this was on CNN and all the other places. Now I can't tell you what that information is but since this is Creative Live and you guys are, like, all my new best friends, I'm gonna tell you, but don't tell anybody else, that the password for the Hawaii emergency alert system is warningpoint2to. And you could clearly, clearly see this. This is troubling for several reasons.
Number one, you really shouldn't put the nuclear launch codes on a post-it just from a general security procedure I know many of you are not security experts, but, you don't want to do that. The second thing is, you don't want such a short, easy to guess password one that uses real words, like, warning point two, right? Super easy to get. Now I'm gonna have to tell you some sad news and I'll break it to you. When it comes to passwords, like, size matters size is really important when it comes to your passwords and here's some evidence to prove that. The longer your password is the longer it takes to crack with these automated tools. If you've got a four digit password it used to be maybe 20 minutes to break into it now it can be done in under a minute this slide is a bit old. If you've got an eight digit password, uppercase, lowercase, space bar, and all these other characters it could take up to 1000 years to do a brute force attack so what you choose matters. Because the first place people start are with the first 1000 most common passwords and then they start doing the brute force attack and they have a ton of automated tools that do that. I personally recommend that your password be at least 20 digits long, that is the new minimum, and why is the minimum increasing? Because you may have heard of something called Moore's law I see many unhappy faces, 20 digits, that's so hard. Because of Moore's law. As computing processing increases as software gets better, as the hacker tools get better, they can break longer and longer passwords much more quickly. So think long and strong, at least 20 digits. Now some of you are thinking, oh my God, I can't even keep track of all the remote controls in my life how am I possibly going to keep track of all the passwords in my life? Well, let's look at it. How should you handle passwords for dozens and dozens of accounts? This is not the way to do this, okay? I recommend strongly against this. 
There is a better way and that better way is known as a password manager or a password wallet. Let me change your life, this will change your life, and will make you much more secure in the long run. There's many companies that make password managers. These are two that are well recognized and highly regarded so these are the ones I'm going to talk about. Now why am I mentioning names of specific products you may be wondering. Because criminals have created their own password managers and uploaded them into the app stores. They come up with great names like, Number One Best Password Manager of the Universe and then they get all their criminal buddies and a bunch of A.I. bots to give it a million rankings to trick you to download these password managers and then you put in all your passwords and they go to Igor in Moscow, right? So only use reputable companies and Dashlane and 1Password are two of them. Now what do these tools do and how do they work? Well this is what Dashlane looks like. It makes it very, very easy to manage all of your passwords. You can just download the software there's a free version and a pay version, it's kind of freemium, and you put in all your passwords. And next time you go to a website it will log you in automatically. So you create one master password. The average person has well over 100 accounts online today and I'll talk about that later you can put all of them in there you create one master password, that's the new password, the only password that you need to remember, and Dashlane will keep all of this information and when you go to Amazon.com this software will work in the background to log you in, right? And it will create the 30, 40, 50 digit password for you without you ever having to think about it. It's not only more secure, it's a huge time saver, think about how much time we waste trying to log in to website after website you go in super fast. 
It works across multiple devices so it works on your phones, your tablets, whatever you may have out there, your laptops, and it syncs all of the data in real time. It also has some other cool features, which is it allows you to share passwords with people in a secure and encrypted format. How many of you have ever sent or received a password in a plain email, right? That's a really bad idea, it's like putting the nuclear launch codes on a postcard and sending them through the mail. Don't do that, you can safely share here. And one of the cool things about sharing is you can actually limit what people can do with the password. For example you can give them full rights or limited rights. With limited rights they can only use it for a certain period of time or they can't change the password, and the like, so it has a lot of convenient features. And here's another awesome feature about Dashlane, is that it knows about all the latest and greatest hacks. So if you go to log into Dashlane and it was announced three hours ago that Yahoo was hacked you're gonna get a pop-up saying, hey, Yahoo was hacked, you have an account on Yahoo, do you wanna change your password now? So you can't be expected to follow all the news of all the hacks in the world, let them do that for you and it will prompt you to go ahead and change your password. It also has this really cool feature for what Marc calls Password Armageddon, right, when you need to get out of the country, the FBI's en route to your home, you need to get out of the country and need to change 100 passwords all at once, it's one button. You can just automatically change all of your passwords instantaneously. Think about how long that would take you in the real world, right, as you were trying to search, what was my MySpace password again, right? It's gonna take a while to find that data.
Dashlane also comes with a really cool dashboard where it will rate your passwords, tell you how good they are, whether or not you've re-used them, how you compare to other people, and the like, so I like this, I like Dashlane, I think it's a really good solution. Now I can look out into this studio audience and see we have some very, very bright people here, you know who you are, not talking to everybody. But to the very, very bright people in the audience, just teasing, you may be thinking, why on earth would I use a password wallet or a password manager? Why would I give all of my passwords to those people? What happens if they get hacked? Then I'm screwed. It is a legitimate question. There have been attempted hacks against some of these password manager companies. Dashlane and 1Password have not been successfully hacked, which is good news; there are some other very famous password managers that have been and thus I don't recommend those. You can do a little bit of Googling and see if yours is one of the ones that's been hacked. But let's talk about some of the statistics and this is why I tell you to choose carefully and I name names, right? I don't want to have a philosophical discussion on cybersecurity, I wanna give you the tools that are gonna make you safer and these tools can do that. Now, as to whether or not you should trust all of your passwords in the cloud, even though it's all fully encrypted, or you should just keep them all locally, here's the reality. As we mentioned before 50% of people are using passwords that are over five years old, 75% of people are using the same password across multiple sites, and a lot of people are sending their passwords in open email or writing them down on yellow stickies, right? On balance for the average person you will be much, much safer using one of these tools than using what you're doing now because your cyber hygiene statistically stinks, so this is a great way to up your game. And there's something else you can do.
Once you write down that master password that has access to your 100 online accounts it's probably a good idea to remember it. And you don't want to put it on a yellow sticky, right? You can write it in a notebook, and you should, you should store it someplace safe you can put it in a safety deposit box or keep it at your Aunt Trudy's house something like that, but you should have it written down. Now for any of the millennials that are watching I just wanna say, this is paper, and a pencil, it's an older form of technology but it's highly secure. What I don't want you to do is go and download Dashlane create super long encrypted passwords and then take your master password and save it in a note on your iPhone, right? Really, really bad idea. Paper, offline, it's good, try it, I recommend it. Okay now that we've dealt with the nightmare of passwords from how to remember them all there's a great other feature that you can do to lock down your digital accounts like Fort Knox. And let's think about what Fort Knox was for those of you who don't know and perhaps our international audience Fort Knox was the biggest reserve of gold in the United States and we actually stored physical gold here in the United States because that was the highest value item that we had going back a few hundred years and therefore we guarded it judiciously. Today our Fort Knox is digital. The overwhelming majority of our data is perhaps one of our greatest possessions in so many different ways. Therefore we need to guard it and we need to create a digital Fort Knox. There was a study done that said we are clearly digital hoarders. To update it, we now, today, on average, have over 150 online accounts and you may be thinking, I don't have 150 online accounts, you do, you just don't think about them. 
There's the one for the doctor, the one for the insurance company, the one for your first kid's school, your second kid's school, the third kid's school, there's your three dating sites, there's the porn site, there's the email services, there's the 10 different stores, or 20 different stores that you shop on, the neighborhood association, and car insurance, and so on, and so on, and so on, and the number is growing. It's 150 today, we expect that, in the next five years, you're going to have 300 online accounts. So there's no way that you can manage all of these passwords by yourself, which is why I recommend a password manager. But there's something else that you can do which is really going to help you, right? First I want you to understand that there are tools out there that can help you understand whether or not you've been hacked. How many of you would like to know truthfully and specifically whether or not one of your own actual accounts was hacked? Raise your hands. Okay, there are tools for that and that's what I wanna introduce you to. It turns out when Equifax is hacked, and Yahoo is hacked, and Target is hacked, a lot of the hackers post all of that information online and you can call that data. The New York Times has actually done this. So there is a website, and you can Google this address, how many times has your personal data been exposed, and you'll get to click on Anthem Blue Cross, and Target, and Equifax, and it'll show you all the different places where your data has been breached. And we're gonna have a bunch of handouts and resource guides and these links to these sites are going to be in there for you. There's another site that I really like which is called, Have I Been Pwned? Now I need to explain what Pwned is. Does anybody know what Pwning is? Okay, no hackers in the audience.
So hackers have their own little language and in hacker speak if you own somebody, you own their computer, you own their phone, it means that you have total control over it. But hackers like to play on words so rather than using the word owned they use the word pwned to describe having commandeered all of your devices. So if you say, "Dude, I totally pwned you." Pwned, with a P, just to be clear, pwned you, then that means that you own somebody's account. So you can go to Have I Been Pwned? And rather than having a generic view of whether or not your Equifax account was hacked, saying, "Oh, well you had an Equifax account, you were hacked." That's what you'll see on the New York Times. With Have I Been Pwned you can put in your actual email address, you don't have to put in any passwords, just put in your Gmail address and it will show you on the next screen, oh yeah, you were part of the LinkedIn one, and you were part of the Dropbox hack and all this other stuff, and it's not generic, it's based upon the fact that this site has gone through the dark web, crawled all of those compromised accounts, and your account and login data is out there. So the address is haveibeenpwned.com, you can find it out there. Now again I want to mention for those of you who purchase this class you're going to get a resource guide, you're gonna get all types of links and tools that have all of this data, basically a class workbook and checklist, and I'll talk about that several times so that you can get the infographics and all the other stuff that comes with the class. Now on to the next huge thing that you can do to protect your passwords. Step number one, good password manager or wallet. Step number two, seeing which of your accounts has been compromised, step number three, is something called 2-Step Verification. What does that mean? When most of you log on today, you have your user name, and you have your password, and that's it.
And the only thing that's required to verify you is your password. The fewer things to verify you, the less safe you are. That's why cyber security researchers created something called Two Step or Two Factor Authentication. It works like this. Rather than just your user name and your password there's a second factor, a second piece of information that will verify you into the system. So for example you'll enter your username and password and then you have to enter a separate verification code to let you in. If you don't have that second verification code, that you'll receive usually on your mobile phone, you won't get in. And without 2FA, you're really hosed again. Why? Because if you are one of the three billion people who had a Yahoo account that was hacked and your credentials are out there and you happen to use it for your bank or Amazon, it will work. But if you have Two Factor Authentication turned on for your accounts it doesn't matter if they have your password, 10 minutes ago they can't get in. Two Factor Authentication blocks all of those billions, literally billions, of stolen passwords and logon credentials from working because when the bad guy tries to get in or his automated script tries to get in he's going to see a pop-up screen that says, please enter your second factor, and they don't have that. And here's another amazing statistic. 80% of data breaches involved compromised credentials. 80% of the time somebody breaks into an account is because your login and password is out there. If you turn on Two Factor Authentication you have now reduced your risk by 80%. This is why I want everybody to have this information. If you know this, if you turn this on, this is a vast and significant drop in your cyber security risk posture. Now, how do you get access to this? How do you know how to set it up? There's two great sites that I'm gonna recommend to you. One is called turnon2fa.com.
You can put in any site you want and it will explain to you step by step how to turn on Two Factor Authentication. I should mention too, Two Factor Authentication is absolutely free, it doesn't cost you anything, and once you have it set up it's really easy to use and it becomes total habit. The other site to check out is something called Two Factor Auth, twofactorauth.org. They're competing sites, they basically do the same thing, but when you go to them, for example, you can type in Facebook on one of those sites and it will show you screen by screen how to turn on Two Factor Authentication for Facebook. There are hundreds of sites that offer free Two Factor Authentication including all of these. So it's a great way to lock down your iCloud account and we'll talk about what happens when you don't lock these down in a little bit. How do you get that second factor? How do you receive the information from these companies, your secret six, 10, eight digit password? It used to come all of the time via text message, that was the most common way. But it turns out if hackers have compromised your mobile phone, and it's relatively easy to spoof a telephone number, they can intercept your SMS text message. So it turns out there is a lot of movement away from using an SMS text message to authenticate and in fact we're using something else. We're using encrypted apps and I want to recommend one very, very highly called Google Authenticator. It is produced by Google, it is absolutely free, and it works with hundreds and hundreds of sites. So the way that it works is if you want to turn on Two Factor Authentication for Dropbox, for Gmail, for Facebook or Twitter, you log in, you go to the right screen, you eventually go to your security settings, you'll click the box that says turn on 2FA, and then Facebook, Google or Twitter will show you a picture like this. Anybody know what this is? Yes it's a QR code, right?
And what you do to go ahead and sync your account with your one and only unique mobile phone is you turn on your camera and you take a picture of this. Google Authenticator will then record that and say, okay, I'm the Google Authenticator encrypted app, I see that based upon the data in this QR code this is now the Two Factor log on confirmation for your Facebook account. And then they'll ask you to go ahead and enter your secret key. And once you enter the secret key from the Google Authenticator app you now have Two Factor Authentication turned on. This is what the Google Authenticator app looks like. It will say things like, this is the authentication number that you use for your Google account, and your Facebook account, and your Dropbox account, and the like, okay? And these numbers change every 60 seconds, okay? This is kind of like Mission Impossible, this message will self destruct in 10 seconds type stuff. Why is this so powerful? Why do I describe this as the Fort Knox of online accounts? Because that means regardless of where your data is and how many times it's leaked, if the bad guys don't have the second factor to authenticate and to log in, they can't get in. And what makes it nigh impossible for them is that they've only got 60 seconds to try to pull this off, so this is a really, really great way to secure your accounts and reduce that risk of online account theft by 80%. Now one other thing that you should do with your Two Factor Authentication is print backup codes. If you lose your phone you can't get in, okay? End of story. So you can try calling the 800 number for Facebook, right? We've all seen the 800 number for customer service. "Greetings, you've reached Facebook, how can we help you?" No, that doesn't work, you're screwed if you lose this.
So all of the Two Factor Authentication sites and Google Authenticator allow you to print what are basically 10 one-time codes. This is like old spy craft from World War where these are 10 secret numbers that you hide in your bedroom or your safety deposit box and after you use one you go ahead and scratch it off. Print this out and save it. The other thing you can do, again, is write this down. You wanna make sure that you've got a backup plan for your Two Factor Authentication so you can get into the accounts. Do that, solve that problem, and your accounts are locked down like Fort Knox and you've reduced your cyber risk by 80%. So I think that's pretty cool and it can make a real big difference in your lives and that's why I'm so happy to share it with you. We're at the end of the password section. Why don't we take some questions?
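As an added illustration of the Google Authenticator mechanics described in the lecture (this is not code from the class, from Google, or from any of the products named), here is the RFC 4226/6238 arithmetic that both the phone app and the website run on the secret carried in the QR code, plus the server-side check a site performs on the code you type. The enrolment URI and site name are constructed, the key is the RFC test key, and the code uses the standards' default 30-second step rather than the 60 seconds mentioned above; the replay check in `TotpVerifier` goes beyond what the lecture covers.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI of the kind the QR code encodes (Google Authenticator
# "Key Uri Format"). The secret is the RFC 6238 test key "12345678901234567890"
# in base32; the site name and address are made up for this example.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleSite:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite"
)


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret from the QR code (apps usually omit '=' padding)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> dict:
    """Pull the shared secret and display parameters out of an otpauth://totp URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    params = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "secret": secret_from_base32(params["secret"][0]),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole time steps since the Unix epoch,
    so phone and server derive the same code without the secret ever being sent."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side state for one enrolled phone. Accepts a code within +/- `window`
    steps of clock skew, compares in constant time, and remembers the last accepted
    counter so a code that was already used cannot be replayed inside that window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def check(self, submitted: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now_counter + drift
            if counter <= self.last_counter:
                continue  # already consumed or older than the last accepted code
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    enrolled = parse_otpauth(SAMPLE_OTPAUTH_URI)
    now = int(time.time())
    code = totp(enrolled["secret"], now, enrolled["period"], enrolled["digits"])
    print(f"code for {enrolled['label']} right now: {code}")
```

The fixed test vectors from RFC 4226 and RFC 6238 (for example, the key above at Unix time 59 gives 287082) let you confirm the arithmetic matches what any standards-compliant authenticator app would display.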
Is it safe to store the backup codes for the Two Factor Authentications in your password managers? If they let you store secure notes, is that safe?
That's a great question, but I wouldn't, because what you want to do is eliminate as many potential failure points as possible. If your entire digital life is in your Dashlane, for example, and let's say your house burns down and you forget your master password for Dashlane and the piece of paper that you had it on was in your desk drawer, now you've lost your master password for Dashlane and you won't be able to get into those Two Factor Authentication printed codes. So that's why I really do suggest having something printed out on paper is a good idea, and you'll hear me often say it's not a bad idea to keep them stored in a very safe place, so maybe you have one in the house, maybe one in your safety deposit box, maybe at your sister's house, if you hate your sister, put it in your brother's house, because there are floods, fires, and other disasters that we'll talk about.